(54) AES Encryption circuit

(57) A round processing unit in an encryption circuit comprises: a first Round Key Addition circuit (204) that adds a round key value to input data; an intermediate register/Shift Row transformation circuit (206) that temporarily stores the output of the first Round Key Addition circuit (204) and executes Shift Row transformation; a Byte Sub transformation circuit (207) into which the values of the intermediate register/Shift Row transformation circuit (206) are inputted and which executes Byte Sub transformation; a second Round Key Addition circuit (208) into which the values of the intermediate register/Shift Row transformation circuit (206) are inputted and which adds round key values; a Mix Column transformation circuit (210) that executes Mix Column transformation upon the outputs of the second Round Key Addition circuit (208); and a second selector (203) that outputs to the second Round Key Addition circuit (204) one of the outputs of a first selector (202), the intermediate register/Shift Row transformation circuit (206), the Byte Sub transformation circuit (207), and the Mix Column transformation circuit (210). Such an encryption circuit reduces a scale of circuit and can achieve a certain level of high-speed processing in the implementation of the AES block cipher.

Description

BACKGROUND OF THE INVENTION

Technical Field

[0001] The present invention relates to an encryption circuit for implementing in hardware the Rijndael algorithm, which is the next generation common key block encryption standard, known as the AES (advanced encryption standard), and will replace the current common key block encryption standard in the US, called DES.

Description of Related Art

[0002] A great variety of services are being considered that involve the Internet, including electronic commerce and electronic money. These technologies are used not just in the daily lives of individuals, but also in a wide range of fields, including transactions among corporations and improving productivity. In particular, it is expected that encryption functions will be loaded onto smart cards and mobile handsets, for the purpose of verifying the identity of individuals, and that these technologies will be widely used for authentication, digital signatures, and data encryption.

[0003] Common key cryptography is used in these applications to prevent third parties from tapping on the Internet. The current standard adopted in the US for common key cryptography is DES; as its replacement, the AES (advanced encryption standard), known as the Rijndael algorithm, has been selected to be the next generation common key block cryptography standard, and this algorithm is becoming the new standard. (The AES draft is available at http://csrc.nist.gov/publications/drafts/dfips-AES.pdf)

[0004] AES is a block cipher for processing in block lengths of 128 bits, and the encryption algorithm, as shown in FIG. 1, is thought to be executable by an encryption circuit comprising a round function unit 20 and a key schedule unit 10. The round function unit 20 comprises an input register 21 that temporarily stores input data, an XOR processing unit 22 that XORs the input data and expanded key segment, a round processing unit 23, a final round processing unit 24 and an output register 25 that temporarily stores output data.

[0005] The round processing unit 23 comprises a Byte Sub transformation unit 31, a Shift Row transformation unit 32, a Mix Column transformation unit 33 and a Round Key Addition unit 34; the final round processing unit 24 performs the processing of the round processing unit 23 except for the Mix Column transformation 33; it comprises a Byte Sub transformation unit 35, a Shift Row transformation unit 36 and a Round Key Addition unit 37.

[0006] Round processing is iterated; the number of rounds Nr including the final round depends on the key length inputted into the key schedule unit 10, and is defined as shown in Table 1.

[Table 1]

Key Length and Number of Rounds

Key Length    Nr
128bit        10
192bit        12
256bit        14

[0007] Thus for each key length round processing is executed Nr-1 times, and at the end the final round processing is executed. When the key length is 128 bits, round processing is executed 9 times; when 192 bits, 11 times; and when 256 bits, 13 times; and then in each case the final round processing is executed. Round keys generated at the key schedule unit 10 are inputted into the XOR processing unit 22, round processing unit 23 and final round processing unit 24.

[0008] The key schedule unit 10 generates round keys based on the key generation schedule specified in the AES draft; that algorithm is shown in FIG. 2.

[0009] The AES Proposal specification (AES Proposal: Rijndael, at http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf) introduces 2 hardware implementations for AES block cipher circuits.

[0010] One of these is a method for hardware implementation, in 128 bit units, of all the functions shown in FIG. 1 as they are (hereinafter, "conventional example 1"). In this case, for encryption and decryption, the order of processing of the functions is reversed, and thus it is necessary to prepare separate processing circuits for encryption and decryption.

[0011] Also, because, as shown in Table 1, it is necessary to change the number of times round processing is executed depending upon the key length, it is necessary to create circuits for each key length.

[0012] Furthermore, because of the reversal of order between encryption and decryption, the order of key generation in the key schedule unit 10 for the round keys used in the round function unit 20 has to be reversed between encryption and decryption. Therefore, either there has to be 2 separate key schedule units, for encryption and for decryption, or a method has to be devised for using the key schedule unit 10 for both encryption and decryption.

[0013] The second method, as shown in FIG. 3, involves creating a coprocessor 50 that has a Byte Sub transformation unit 51 and a Mix Column transformation unit 52, and implementing in hardware only the Byte Sub transformation and the Mix Column transformation functions, and having all other functions incorporated as software into a program 41, and then processing with a CPU 40 (hereinafter, "conventional example 2").

[0014] In this case, Byte Sub transformation and Mix Column transformation, which are unsuited for processing by the CPU 40 for reasons of processing time, are implemented in hardware as the coprocessor 50, and the other processing is processed by the program 41 stored in the CPU, thus allowing the circuit scale to be reduced.

[0015] If we suppose that the AES block cipher is to be incorporated into a smart card or the like, the functions required of an encryption circuit would be to maintain a certain level of processing speed, while keeping the scale of the circuit small. With these requirements, the conventionally proposed method of implementing all the functions in 128-bit units results in the scale of circuit being too large, making the loading thereof onto a smart card difficult. With the method of implementing in hardware only the Byte Sub transformation and the Mix Column transformation, and processing the other functions with software, there is the problem of the processing speed requirements not being fulfilled.

[0016] Moreover, with the key schedule unit 10 that generates the round keys, if all the round keys are stored in memory, a large-capacity memory is needed, and this would make the scale of circuit large. Therefore, in order to reduce the scale of circuit without reducing processing speed, it is desirable to generate round keys with a circuit constitution that does not require storing the entire expanded key in memory.

SUMMARY OF THE INVENTION

[0017] It is an object of the present invention to present an encryption circuit that is small in scale and that can achieve a certain level of processing speed when implementing the AES block cipher.

[0018] The present invention provides an encryption circuit that generates from a cipher key a plurality of round keys having a number of bits corresponding to a predetermined processing block length and executing, for each processing block length, input data and round key encryption/decryption processing, by means of a round function unit comprising an XOR operation unit that XORs the input data and one of the round keys and a round processing unit that iterates round processing that includes Byte Sub transformation, Shift Row transformation, Mix Column transformation and Round Key Addition, wherein:

the round processing unit comprises: a first selector that segments input data into execution block lengths smaller than the processing block length; a first Round Key Addition circuit that adds the round key value to input data for each execution block length; an intermediate register/Shift Row transformation circuit that temporarily stores the output of the first Round Key Addition circuit and executes Shift Row transformation using the processing block length; a Byte Sub transformation circuit wherein the intermediate register/Shift Row transformation circuit value is inputted for each execution block length and Byte Sub transformation is executed; a second Round Key Addition circuit wherein the intermediate register/Shift Row transformation circuit value is inputted for each execution block length and the round key value is added for each execution block length; a Mix Column transformation circuit executing Mix Column transformation on the output of the second Round Key Addition circuit; and a second selector that outputs to the first Round Key Addition circuit one output from among the outputs of the first selector, intermediate register/Shift Row transformation circuit, Byte Sub transformation circuit, or Mix Column transformation circuit.

[0019] Here, the execution block length can be a multiple of 8 bits, the processing block length can be 128 bits and the execution block length can be 32 bits.

[0020] Further, the key length of the cipher key can be any of 128 bits, 192 bits or 256 bits.

[0021] Also, the Byte Sub transformation circuit can comprise a matrix operation unit for decryption that executes a matrix operation on input data; a third selector that outputs either the input data or the output of the matrix operation unit for decryption; an inverse operation unit for executing an inverse operation on the data outputted from the third selector; a matrix operation unit for encryption that executes a matrix operation on the data outputted from the inverse operation unit; and a fourth selector that outputs either the output of the inverse operation unit or the output of the matrix operation unit for encryption.

[0022] Further, the matrix operation unit for decryption and the matrix operation unit for encryption comprises an XOR circuit so as to perform 8-bit operations at one clock cycle and the matrix operation unit for decryption and the matrix operation unit for encryption comprises an XOR circuit so as to perform 1-bit operations at one clock cycle.

[0023] Also, the intermediate register/Shift Row transformation circuit can be used for both encryption and decryption through the reversal of order of input of shift data relating to amount of shift for data to be inputted into the intermediate register/Shift Row transformation circuit, the input order for decryption being the reverse of the order for encryption.

[0024] Further, the Mix Column transformation circuit can comprise a plurality of multiplication units with unique multipliers and an XOR circuit that performs XOR operations for the plurality of multiplication units, the Mix Column transformation circuit executing a matrix operation between data inputted into each multiplication unit and the multiplier established for each multiplication unit. In this case, the Mix Column transformation circuit comprises 4 operation units having 4 multiplication units capable of 8-bit unit operations and XOR circuits that execute XOR operations based on the outputs of the 4 multiplication units. These multiplication units can control 2 multipliers and are used for both encryption and decryption and the multiplication units can be constituted to control addition values from high-order bits.

[0025] Also, an encryption circuit can be constituted so as to have a key expansion schedule circuit that generates from the cipher key, as an expanded key segmented into bit numbers corresponding to the execution block length, a plurality of round keys with bit numbers corresponding to a predetermined processing block length. The key expansion schedule circuit comprises:

a fifth selector that segments a cipher key into the number of bits corresponding to the execution block length and outputs the same;

a shift register to which flip-flop circuits are connected at a plurality of stages, the flip-flop circuits latching data in units of the execution block length;

a first XOR circuit that XORs the output of the final stage flip-flop circuit of the shift register with one constant selected from among a group of constants;

a sixth selector into which are inputted the outputs of those flip-flops of the shift register that are involved in operations for encryption and the outputs of those flip-flops involved in operations for decryption, and which selectively outputs one of these;

a Rot Byte processing circuit that rotates the output of the sixth selector;

a seventh selector into which the output of the sixth selector and the output of the Rot Byte circuit is inputted and which selectively outputs one of these;

a Sub Byte processing circuit that executes Byte Sub transformation on the output of the seventh selector for each execution block length;

an eighth selector into which the output of the sixth selector and the output of the Sub Byte processing circuit are inputted, and which selectively outputs one of these;

a second XOR circuit that executes an XOR operation based on the output of the first XOR circuit and the output of the eighth selector; and

a shift register unit selector that selectively outputs, to those flip-flops of the shift register the outputs of which are subject to operations for encryption, either the output of the second XOR circuit or the output of the adjacent stage flip-flop.

[0026] Here, the shift register comprises 8 flip-flops executing data processing in 32-bit units, and the sixth selector is constituted so that the outputs of the second, fourth, sixth and eighth flip-flops from the bottom from among the flip-flops are inputted therein, and that it outputs one of these.

[0027] Also, through the input into the seventh selector of the output of the intermediate register/Shift Row transformation circuit and the input into the second selector of the output of the Sub Byte processing circuit, a single circuit can be used for the Sub Byte processing circuit and the Byte Sub transformation circuit of the round processing unit.

[0028] From the following detailed description in conjunction with the accompanying drawings, the foregoing and other objects, features, aspects and advantages of the present invention will become readily apparent to those skilled in the art.

BRIEF DESCRIPTION OF THE DRAWINGS 
[0029] 

FIG. 1 is a block diagram of AES processing using the Rijndael algorithm;
FIG. 2 is a key schedule program list;
FIG. 3 is a block diagram showing one envisioned circuit implementation;
FIG. 4 is a block diagram of a round function unit adopted in a first embodiment of the present invention;
FIG. 5 is a block diagram showing an intermediate register/Shift Row transformation circuit;
FIG. 6 is a block diagram showing a Mix Column transformation circuit;
FIG. 7 is a block diagram showing the constitution of a multiplication unit;
FIG. 8 is a block diagram showing another constitution of a multiplication unit;



EP 1 271 839 A2 

FIG. 9 is a block diagram showing a key schedule unit; 
FIG. 10 is a block diagram showing a Byte Sub transformation circuit; 
FIG. 11 is a block diagram showing a matrix operation circuit for encryption; 
FIG. 12 is a block diagram showing a matrix operation circuit for decryption; 
FIG. 13 is a block diagram showing another example of a matrix operation circuit for encryption; and
FIG. 14 is a block diagram showing another example of a matrix operation circuit for decryption.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Round Function Unit

[0030] The AES block cipher is an algorithm that encrypts/decrypts the 128 bit data with the 128 bit, 192 bit or 256 bit key. As shown in FIG. 1, it comprises a key schedule unit 10 that generates a plurality of round keys from the cipher key, and a round function unit 20 that uses the round keys inputted from the key schedule unit 10 to encrypt and decrypt. The round function unit 20 performs such processing as XOR operations, Byte Sub transformation processing, Shift Row transformation processing, Mix Column transformation processing, Round Key Addition processing.

[0031] The first embodiment of the present invention is a circuit for implementation of this round function unit 20, and the constitution of this circuit is shown in FIG. 4. Each circuit block executes 32-bit processing with the exception of Shift Row transformation processing, which is 128-bit processing; transfer of data between circuit blocks is executed in 32-bit units.

[0032] This round function unit contains: an input register 201 that temporarily stores input data; a first selector 202 that selects 32-bit data from the 128-bit input data; a second selector 203 into one input terminal of which the output of the first selector 202 is inputted; a first Round Key Addition circuit 204 into which the output of the second selector 203 is inputted; an add data selector 205 that inputs into the first Round Key Addition circuit 204 an expanded key segment or "0"; an intermediate register/Shift Row transformation circuit 206 that stores the output value of the first Round Key Addition circuit 204 and executes Shift Row transformation in 128-bit units; a Byte Sub transformation circuit 207 into which intermediate register/Shift Row transformation circuit 206 values are inputted and which executes Byte Sub transformation; a second Round Key Addition circuit 208 into which intermediate register/Shift Row transformation circuit 206 values are inputted for each 32 bits; an add data selector 209 which inputs into the second Round Key Addition circuit 208 an expanded key segment or "0"; and a Mix Column transformation circuit 210 which executes Mix Column transformation on the output of the second Round Key Addition circuit 208. The outputs of the first selector 202, Byte Sub transformation circuit 207, Mix Column transformation circuit 210, and intermediate register/Shift Row transformation circuit 206 are inputted into the second selector 203, and one of these outputs is outputted to the first Round Key Addition circuit 204.

Operation Schedule during Encryption 

[0033] The operation schedule during encryption in the round function unit is shown in Table 2. 

[Table 2]

Round Function Operation Schedule

Round   Cycle                    Processing                                       SEL_B
0       000-003                  Round Key Addition                               a
1       004-007                  Byte Sub Transformation                          b
        008                      Shift Row Transformation                         c
        009-012                  Mix Column Transformation, Round Key Addition    c
2       013-016                  Byte Sub Transformation                          b
        017                      Shift Row Transformation                         c
        018-021                  Mix Column Transformation, Round Key Addition    c
        Omitted
Nr-1    #1                       Byte Sub Transformation                          b
        (Nr-1)*9-1               Shift Row Transformation                         c
        (Nr-1)*9 - (Nr-1)*9+3    Mix Column Transformation, Round Key Addition    c
Nr      #2                       Byte Sub Transformation                          b
        Nr*9-1                   Shift Row Transformation                         d
        Nr*9 - Nr*9+3            Round Key Addition                               d

#1: (Nr-1)*9-5 - (Nr-1)*9-2
#2: Nr*9-5 - Nr*9-2

Note: The table shows operations during encryption. In decryption, the order of round key and Mix Column processings is switched.

[0034] Here, in round 0, addition of an expanded key segment is executed by the first Round Key Addition circuit 204 with a selector position of "a" for the second selector 203. Input data in the input register 201 is selected in 32 bit units by the first selector 202 and inputted into the first Round Key Addition circuit 204, and to this is added a portion of a round key, inputted from the key schedule unit, this portion being a 32-bit segment of the expanded key. While the input data and the expanded key are being changed into 32-bit units, the first Round Key Addition circuit 204 executes addition processing, and the XOR processing of the XOR unit 22 in FIG. 1 is thereby executed on 128-bit processing blocks in the 4 cycles of cycles 000 through 003. The result of the operation by the first Round Key Addition circuit 204 is stored in order in 32-bit units in the intermediate register/Shift Row transformation circuit 206.

[0035] In round 1, the round processing 23 in FIG. 1 is executed, and Byte Sub transformation processing 31, Shift Row transformation processing 32, Mix Column transformation processing 33, and Round Key Addition processing 34 are executed. Thus, first of all, in cycles 004 through 007, with a selector position of "b" for the second selector 203, the data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-bit units, is read out and inputted into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by the add data selector 205 "0", the first Round Key Addition circuit 204 is put into a masked state. The result of the operations of Byte Sub transformation circuit 207 is stored in order in 32-bit units in the intermediate register/Shift Row transformation circuit 206. Thus Byte Sub transformation processing is performed on 128 bits, and the result is stored in the intermediate register/Shift Row transformation circuit 206.

[0036] Next, in cycle 008, Shift Row transformation processing is executed. The intermediate register/Shift Row transformation circuit 206 is capable of executing Shift Row transformation processing in 128-bit units, and in this cycle 008, 128-bit Shift Row transformation processing is executed. At this time, the selector position of the second selector 203 may be any position, but in consideration of the processing in the next cycle, a position of "c" is preferable.

[0037] In cycles 009 through 012, Mix Column transformation processing and Round Key Addition processing are executed. Herein, the data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-bit units, is read out and inputted into the second Round Key Addition circuit 208. At this time, by making the data to be selected by the add data selector 209 "0", the second Round Key Addition circuit 208 is put into a masked state. By setting the selector position of the second selector 203 at "c", the data upon which Mix Column transformation processing has been executed at the Mix Column transformation circuit 210 is inputted into the first Round Key Addition circuit 204 via the second selector 203. An expanded key segment to be inputted from the key schedule unit is selected for data to be selected by the add data selector 205, and this data undergoes Round Key Addition processing at the first Round Key Addition circuit 204. The result of the Mix Column transformation processing at the Mix Column transformation circuit 210 and the Round Key Addition processing at the first Round Key Addition circuit 204 are, while being each shifted in 32-bit units, stored in the intermediate register/Shift Row transformation circuit 206. Thus, the result of the 128 bits upon which Mix Column transformation processing and the Round Key Addition processing were executed in cycles 009 through 012 are stored in the intermediate register/Shift Row transformation circuit 206. In this manner, one round of processing is executed in the 9 cycles of cycles 004 through 012.

[0038] Next, in rounds 2 through (Nr-1), the same processing as in round 1 is executed (however, Nr is the number of processing rounds including the final round, and as shown in Table 1, the number of rounds will differ according to key length).

[0039] In round Nr (the final round), the final round processing 24 of FIG. 1 is executed; this comprises Byte Sub transformation processing 35, Shift Row transformation processing 36 and Round Key Addition processing 37.

[0040] Thus in cycles (Nr*9-5) through (Nr*9-2), with the selector position of the second selector 203 at "b", data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-bit units, is read out and inputted into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by the add data selector 205 "0", the first Round Key Addition circuit 204 is put into a masked state. The result of the operation of the Byte Sub transformation circuit 207 is stored in order in 32-bit units in the intermediate register/Shift Row transformation circuit 206. Thus Byte Sub transformation processing of 128 bits is performed, and the result is stored in the intermediate register/Shift Row transformation circuit 206.

[0041] Next, in the (Nr*9-1) cycle, 128-bit Shift Row processing is executed. At this time, the selection position of the second selector 203 may be any position, but in consideration of the processing of the next cycle, a position of "d" is preferable.

[0042] In the (Nr*9) through (Nr*9+3) cycles, Round Key Addition processing is executed. Specifically, by making the selector position of the second selector 203 "d", the data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-bit units, is read out and inputted into the first Round Key Addition circuit 204 via the second selector 203. At this time, by making data to be selected by the add data selector 205 an expanded key segment to be inputted from the key schedule unit, the first Round Key Addition circuit 204 adds 32-bit round keys. The result of the Round Key Addition processing by the first Round Key Addition circuit 204 is stored in the intermediate register/Shift Row transformation circuit 206 while being shifted in 32-bit units. Thus in the (Nr*9) through (Nr*9+3) cycles, the result of the Round Key Addition processing on the 128 bits is stored in the intermediate register/Shift Row transformation circuit 206. In this manner, in the 9 cycles from (Nr*9-5) through (Nr*9+3), final round processing is executed.
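As an added illustration (not part of the patent text), the following Python model steps through the encryption schedule of Table 2 one clock at a time, using 32-bit words for every operation except the 128-bit Shift Row, so it can serve as a software reference when checking a hardware implementation of this datapath. The function names, the big-endian column-word layout and the software key expansion are assumptions of this example; the key schedule circuit itself is not modeled.

```python
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_byte(x):
    """Byte Sub for one byte: field inverse (x^254), then the affine matrix step."""
    y = 1
    for _ in range(254):
        y = gmul(y, x)                      # x = 0 yields 0, as AES requires
    s = 0x63
    for k in range(5):
        s ^= ((y << k) | (y >> (8 - k))) & 0xFF
    return s

SBOX = [sbox_byte(x) for x in range(256)]

def sub_word(w):
    """Byte Sub circuit 207: substitute the 4 bytes of one 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def mix_column(w):
    """Mix Column circuit 210 on one 32-bit column (encryption multipliers 02, 03)."""
    a = w.to_bytes(4, "big")
    return int.from_bytes(bytes(
        gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
        for r in range(4)), "big")

def shift_rows(cols):
    """Shift Row on the whole 128-bit register 206: row r rotates left by r columns."""
    b = [c.to_bytes(4, "big") for c in cols]
    return [int.from_bytes(bytes(b[(c + r) % 4][r] for r in range(4)), "big")
            for c in range(4)]

def expand_key(key):
    """Standard AES key expansion in software; returns (32-bit key words, Nr)."""
    nk = len(key) // 4
    nr = nk + 6                             # Table 1: 10, 12 or 14 rounds
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:
            t = sub_word(((t << 8) | (t >> 24)) & 0xFFFFFFFF) ^ (rcon << 24)
            rcon = gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = sub_word(t)
        w.append(w[i - nk] ^ t)
    return w, nr

def word_cycle(sel_b, in_word, reg_word, key205):
    """One clock: second selector 203 picks a source, circuit 204 adds key205.

    In encryption add data selector 209 supplies 0, so circuit 208 passes the
    register word unchanged to Mix Column; key205 = 0 masks circuit 204.
    """
    source = {"a": in_word,                 # first selector 202
              "b": sub_word(reg_word),      # Byte Sub circuit 207
              "c": mix_column(reg_word),    # circuit 208 (masked), then 210
              "d": reg_word}[sel_b]         # register 206 directly
    return source ^ key205

def encrypt(block, key):
    """Run Table 2 cycle by cycle; returns (ciphertext, trace, total cycles)."""
    w, nr = expand_key(key)
    inp = [int.from_bytes(block[4 * i:4 * i + 4], "big") for i in range(4)]
    reg, trace, cycle = [0] * 4, [], 0

    def four_cycles(rnd, op, sel, keyed):
        nonlocal cycle
        for i in range(4):                  # one 32-bit word per clock
            k = w[4 * rnd + i] if keyed else 0
            reg[i] = word_cycle(sel, inp[i], reg[i], k)
        trace.append((rnd, cycle, cycle + 3, op, sel))
        cycle += 4

    four_cycles(0, "Round Key Addition", "a", True)
    for rnd in range(1, nr + 1):
        last = rnd == nr
        four_cycles(rnd, "Byte Sub", "b", False)
        reg[:] = shift_rows(reg)            # single 128-bit cycle
        trace.append((rnd, cycle, cycle, "Shift Row", "d" if last else "c"))
        cycle += 1
        if last:
            four_cycles(rnd, "Round Key Addition", "d", True)
        else:
            four_cycles(rnd, "Mix Column + Round Key Addition", "c", True)
    return b"".join(x.to_bytes(4, "big") for x in reg), trace, cycle

if __name__ == "__main__":
    # Constructed input: the FIPS-197 Appendix C.1 example vector.
    ct, trace, cycles = encrypt(bytes.fromhex("00112233445566778899aabbccddeeff"),
                                bytes.fromhex("000102030405060708090a0b0c0d0e0f"))
    for row in trace[:4] + trace[-3:]:
        print("round %2d  cycles %03d-%03d  %-32s SEL_B=%s" % row)
    print(ct.hex(), "in", cycles, "cycles")
```

The total of Nr*9+4 clocks per block follows directly from the schedule: 4 cycles for round 0 plus 9 cycles for each of the Nr rounds.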

Operation Schedule during Decryption

[0043] Operations during decryption in this round function unit are performed in the reverse order to operations during encryption. This operation schedule is shown in Table 3.

[Table 3]

Round Function Operation Schedule

Round   Cycle                    Processing                                       SEL_B
0       000-003                  Round Key Addition                               a
1       004                      Shift Row Transformation                         b
        005-008                  Byte Sub Transformation                          b
        009-012                  Round Key Addition, Mix Column Transformation    c
2       013                      Shift Row Transformation                         b
        014-017                  Byte Sub Transformation                          b
        018-021                  Round Key Addition, Mix Column Transformation    c
        Omitted
Nr-1    (Nr-1)*9-5               Shift Row Transformation                         b
        #1                       Byte Sub Transformation                          b
        (Nr-1)*9 - (Nr-1)*9+3    Round Key Addition, Mix Column Transformation    c
Nr      Nr*9-5                   Shift Row Transformation                         b
        #2                       Byte Sub Transformation                          b
        Nr*9 - Nr*9+3            Round Key Addition                               d

#1: (Nr-1)*9-4 - (Nr-1)*9-1
#2: Nr*9-4 - Nr*9-1

[0044] In round 0, with the selector position of the second selector 203 at "a", the first Round Key Addition circuit 204 adds expanded key segments. Input data in the input register 201 is selected in 32-bit units by the first selector 202 and inputted into the first Round Key Addition circuit 204, and from the round key to be inputted from the key schedule unit, a 32-bit expanded key segment is added. At this time, data to be inputted via the first selector 202 is inputted in an order that is the reverse of the input order for encryption, and the input order of the expanded key segments to be inputted from the key schedule input is also the reverse of the input order for encryption. In this manner, as the input data and expanded key are changed every 32 bits, the first Round Key Addition circuit 204 executes add processing, thereby allowing execution of Round Key Addition processing on a 128-bit processing block in cycles 000 through 003. The result of the operations of the first Round Key Addition circuit 204 is stored in 32-bit units in the intermediate register/Shift Row transformation circuit 206.

[0045] In round 1, processing is performed in the order of Shift Row transformation, Byte Sub transformation, Round Key Addition, and Mix Column transformation. For this reason, first, in cycle 004, in the intermediate register/Shift Row transformation circuit 206, Shift Row transformation processing is executed in 128-bit units. In this case the processing is the same as the Shift Row transformation processing during encryption. Also, the selector position of the second selector 203 may be any position, but in consideration of the processing in the next cycle, a position of "b" is preferable.

[0046] Next, in cycles 005 through 008, with a selector position of "b" for the second selector 203, data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-bit units, is read out and inputted into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by the add data selector 205 "0", the first Round Key Addition circuit 204 is put into a masked state. The result of the operation by the Byte Sub transformation circuit 207 is stored in order in the intermediate register/Shift Row transformation circuit 206 in 32-bit units. In this case, the Byte Sub transformation processing is executed so as to be the inverse of the transformation processing during encryption; this will be discussed below. In this manner, Byte Sub transformation processing is performed on 128 bits, and the result is stored in the intermediate register/Shift Row transformation circuit 206.
[0047] In cycles 009 through 01 2, Round Key Addition processing and Mix Column transformation processing are 
executed. Here, data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted In 
*5 32-bft units, is read out and inputted into the second Round Key Addition circuit 208. At this time, data selected by the 
add data selector 209 is made the expanded key segment Inputted from the key schedule unit. Also, with the selector 
position of the second selector 203 at "c", the output of the Mix Column transf omnation circuit 21 0 is inputted into the 
first Round Key Addition circuit 204 via the second selector 203. At this time, by making the data to be selected by the 
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add data selector 205 "0", the first Round Key Addition circuit 204 is put into a masked state. In this case, Mix Column 
transformation processing is executed In such a manner as to be transformation processing that is the inverse of the 
transformation processing during encryption; this will be explained in detail below, Thus the 128-bit resultant of the 
Round Key Addition processing by the second Round Key Addition circuit 208 and of the Mix Column transformation 
5 processing by the Mix Column transformation circuit 210 is stored in the intermediate register/Shift Row transformation 
circuit 206. In this manner, one round of processing is executed In the 9 cycles of cycle 004 through 012. 
[0048] Next, in rounds 2 through (Nr-1 ), the same processing as in round 1 Is executed (however, Nr Is the number 
of rounds including the final round, and as shown in Table 1 , different numbers of rounds are stipulated depending on 
key length). 

[0049] In round Nr (the final round), Shift Row transformation processing, Byte Sub transformation processing and Round Key Addition processing are executed.

[0050] For this reason in cycle (Nr*9-5), 128-bit Shift Row transformation processing is executed. At this time, the selector position of the second selector 203 may be any position, but in consideration of the processing of the next cycle, a position of "b" is preferable.

[0051] Next, in cycles (Nr*9-4) through (Nr*9-1), with the selector position of the second selector 203 at "b", data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-bit units, is read out and inputted into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by the add data selector 205 "0", the first Round Key Addition circuit 204 is put into a masked state. The result of the operation by the Byte Sub transformation circuit 207 is stored in order in the intermediate register/Shift Row transformation circuit 206 in 32-bit units. Thus Byte Sub transformation processing is conducted on 128 bits, and the result is stored in the intermediate register/Shift Row transformation circuit 206.

[0052] In cycles (Nr*9) through (Nr*9+3), Round Key Addition processing is executed. Here, by making the selector position of the second selector 203 "d", data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-bit units, is read out and inputted into the first Round Key Addition circuit 204 via the second selector 203. At this time, by making the data to be selected by the add data selector 205 an expanded key segment inputted from the key schedule unit, 32-bit Round Key Addition processing by the first Round Key Addition circuit 204 can be executed. The result of the Round Key Addition processing in the first Round Key Addition circuit 204 is, while being shifted in 32-bit units, stored in the intermediate register/Shift Row transformation circuit 206. Thus in cycles (Nr*9) through (Nr*9+3), the 128-bit result of Round Key Addition processing is stored in the intermediate register/Shift Row transformation circuit 206. In this manner, the final round processing is executed in the 9 cycles from cycles (Nr*9-5) through (Nr*9+3).

Intermediate Value Register/Shift Row Transformation Circuit

[0053] FIG. 5 shows one embodiment of the intermediate value register/Shift Row transformation circuit.

[0054] In this constitution, 4 shift registers that process in 8-bit units are provided. The first shift register has 4 flip-flops, flip-flops 302, 304, 306 and 308, connected in series, and to each of the flip-flops 302, 304, 306, and 308 selectors 301, 303, 305, and 307, which select inputs, are respectively connected. Input data IN0 and the output of the flip-flop 302 are inputted into the first selector 301, and either one of these is inputted into the flip-flop 302. Similarly, into the second through fourth selectors 303, 305 and 307, the outputs of the previous-stage flip-flops 302, 304, and 306, as well as the outputs of the flip-flops 304, 306, and 308 are inputted, and one of these is inputted into the flip-flops 304, 306 and 308, respectively.

[0055] The second shift register has 4 flip-flops, flip-flops 312, 314, 316 and 318 connected in series; and to each of the flip-flops 312, 314, 316 and 318, selector

input data IN1 and the outputs of the flip-flop 312 and the flip-flop 318 are inputted into the first selector 311, and one of these is inputted into the flip-flop 312. Similarly, into the second through fourth selectors 313, 315 and 317, the outputs of the previous-stage flip-flops 312, 314, and 316, as well as the outputs of the flip-flops 314, 316, and 318 are inputted, and one of these is inputted into the flip-flops 314, 316 and 318, respectively.

[0056] The third shift register has 4 flip-flops, flip-flops 322, 324, 326 and 328 connected in series; and to each of the flip-flops 322, 324, 326 and 328, selectors 321, 323, 325, and 327, which select input, are respectively connected. Input data IN2 and the outputs of the flip-flop 322 and the flip-flop 326 are inputted into the first selector 321, and one of these is inputted into the flip-flop 322. Similarly, into the second selector 323, the output of the respective previous-stage flip-flop 322, the output of the flip-flop 324, and the output of the flip-flop 328 are inputted, and one of these is inputted into the flip-flop 324. Into the third selector 325, the output of the previous stage flip-flop 324, the output of the flip-flop 326, and the output of the flip-flop 322 are inputted, and one of these is inputted into the flip-flop 326. Into the fourth selector 327, the output of the previous stage flip-flop 326, the output of the flip-flop 328 and the output of the flip-flop 324 are inputted, and one of these is inputted into the flip-flop 328.

[0057] The fourth shift register has 4 flip-flops, flip-flops 332, 334, 336 and 338 connected in series; and to each of the flip-flops 332, 334, 336 and 338, selectors 331, 333, 335, and 337, which select input, are respectively connected. Input data IN3 and the outputs of the flip-flop 332 and the flip-flop 334 are inputted into the first selector 331, and one of these is inputted into the flip-flop 332. Similarly, into the second selector 333, the output of the previous-stage flip-flop 332, the output of the flip-flop 334, and the output of the flip-flop 336 are inputted, and one of these is inputted into the flip-flop 334. Into the third selector 335, the output of the previous stage flip-flop 334, the output of the flip-flop 336, and the output of the flip-flop 338 are inputted, and one of these is inputted into the flip-flop 336. Into the fourth selector 337, the output of the previous stage flip-flop 336, the output of the flip-flop 338, and the output of the flip-flop 332 are inputted, and one of these is inputted into the flip-flop 338.

[0058] When an intermediate value register/Shift Row transformation circuit thus constituted is operated as an intermediate value register for the various processing stages, by inputting data into input data IN0 through IN3 in 8-bit units, data processed in each cycle in 32-bit units can be stored. Furthermore, by making the selector positions of the selectors 301 through 337 "b", and, while shifting the data in flip-flops to the next stage, inputting data in 8-bit units into input data IN0 through IN3 respectively, 128 bits of data can be inputted in 4 cycles. When the input of 128 bits of data has been completed, the 4 8-bit data inputted in the first cycle are latched in the flip-flops 308, 318, 328, and 338, respectively.

[0059] An explanation will now be given of the operations of the Shift Row transformation. 

[0060] In the Rijndael algorithm, input data is segmented into 8-bit data segments a00 through a33 and these are processed as a matrix; the direction of the shift for decryption is the reverse of the direction for encryption. In the present invention, the order in which data is processed is the order of the column array; by processing in reverse order for encryption and for decryption, Shift Row transformation can be achieved using the same processing.



[Table 4]

Data Array and Processing Order

         Encryption               Decryption
         Column                   Column
Row      a00 a01 a02 a03          a00 a01 a02 a03
         a10 a11 a12 a13          a10 a11 a12 a13
         a20 a21 a22 a23          a20 a21 a22 a23
         a30 a31 a32 a33          a30 a31 a32 a33



[0061] As shown on Table 4 left, when the data in rows is arranged in order starting from the column to the far left, for encryption, processing is executed starting from the column to the far left. For decryption, as seen in Table 4 right, processing is executed starting from the column to the far right.

[0062] In Shift Row transformation processing for encryption, the rows of a data array arranged as on Table 4 left are cyclically shifted different byte-lengths. Specifically, as shown in Table 5, the first row is not shifted, row 2 is cyclically shifted one byte to the left, row 3 is cyclically shifted 2 bytes to the left, and row 4 is cyclically shifted 3 bytes to the left. This causes the pre-processing state, shown in Table 5 left, to become the post-processing state shown in Table 6 right.



[Table 5]
[ Encryption ]

Pre-processing                                     Post-processing
a00 a01 a02 a03                                    a00 a01 a02 a03
a10 a11 a12 a13    Cyclic Shift 1 Byte Left        a11 a12 a13 a10
a20 a21 a22 a23    Cyclic Shift 2 Bytes Left       a22 a23 a20 a21
a30 a31 a32 a33    Cyclic Shift 3 Bytes Left       a33 a30 a31 a32

[0063] For decryption, so as to achieve the inverse of the processing during encryption, the rows of a data array arranged as on Table 4 left are cyclically shifted different byte-lengths. Specifically, as shown in Table 5, the first row is not shifted, row 2 is cyclically shifted 3 bytes to the left, row 3 is cyclically shifted 2 bytes to the left, and row 4 is cyclically shifted 1 byte to the left. This causes the pre-processing state, shown in Table 6 left, to become the post-processing state shown in Table 6 right.

[Table 6]
[ Decryption ]

Pre-processing                                     Post-processing
a00 a01 a02 a03                                    a00 a01 a02 a03
a10 a11 a12 a13    Cyclic Shift 3 Bytes Left       a13 a10 a11 a12
a20 a21 a22 a23    Cyclic Shift 2 Bytes Left       a22 a23 a20 a21
a30 a31 a32 a33    Cyclic Shift 1 Byte Left        a31 a32 a33 a30



[0064] In the present embodiment, the intermediate value register/Shift Row transformation circuit shown in FIG. 5 is used. Thus, at the stage when the input of 128 bits of data has been completed, the data that was inputted in the initial cycle is latched in the final stage flip-flops 308, 318, 328, and 338, and data is latched in order in the previous stage flip-flops. When data is to be outputted, as it is being shifted 1 byte to the right at one cycle, data is outputted from the final stage flip-flops at the far right. Therefore when data is rearranged in consideration of the fact that the data processing order starts from the far right, the state before Shift Row processing for encryption takes the form shown in Table 7 left.

[Table 7]
[ Encryption ]

Pre-processing                                     Post-processing
a03 a02 a01 a00                                    a03 a02 a01 a00
a13 a12 a11 a10    Cyclic Shift 1 Byte Right       a10 a13 a12 a11
a23 a22 a21 a20    Cyclic Shift 2 Bytes Right      a21 a20 a23 a22
a33 a32 a31 a30    Cyclic Shift 3 Bytes Right      a32 a31 a30 a33



[0065] To perform the same cyclic shift as in Table 5, as shown in Table 7 right, the first row is not shifted, the second row is cyclically shifted 1 byte to the right, the third row is cyclically shifted 2 bytes to the right, and the fourth row is cyclically shifted 3 bytes to the right.

[0066] In order to perform this kind of Shift Row transformation processing for encryption, the intermediate value register/Shift Row transformation circuit shown in FIG. 5 is used to switch and control the selectors, and to replace data at once, in 128-bit units.

[0067] For the first row, because a shift is unnecessary, the selector positions of the selectors 301, 303, 305 and 307 are set at "a". For the second row, because of the cyclic shift 1 byte to the right, the selector position of the selector 311 is set at "c", and the other selectors 313, 315, and 317 are set at selector position "b". For the third row, because of the cyclic shift 2 bytes to the right, the selector position of the selectors 321, 323, 325 and 327 is set at "c". For the fourth row, because of the cyclic shift 3 bytes to the right, the selector position of the selectors 331, 333, 335 and 337 is set at "c".

[0068] By designating the output data being latched by the flip-flops in the intermediate value register/Shift Row transformation circuit prior to execution of the above-described Shift Row transformation processing as b00 through b33 respectively, as shown in FIG. 5 the output data becomes latched to the output of the flip-flops in an array as shown in Table 8 right.



[Table 8]

Shift Row Transformation Operation Model

Prior to Shift Row         Subsequent to Shift Row
b03 b02 b01 b00            b03 b02 b01 b00
b13 b12 b11 b10            b10 b13 b12 b11
b23 b22 b21 b20            b21 b20 b23 b22
b33 b32 b31 b30            b32 b31 b30 b33



[0069] For decryption, because processing is executed from the right column as in Table 4, the data is arrayed as shown in Table 9 left.



[Table 9]
[ Decryption ]

Pre-processing                                     Post-processing
a00 a01 a02 a03                                    a00 a01 a02 a03
a10 a11 a12 a13    Cyclic Shift 1 Byte Right       a13 a10 a11 a12
a20 a21 a22 a23    Cyclic Shift 2 Bytes Right      a22 a23 a20 a21
a30 a31 a32 a33    Cyclic Shift 3 Bytes Right      a31 a32 a33 a30



[0070] To perform the same cyclic shift as in Table 6, as shown in Table 9 right, the first row is not shifted, the second row is cyclically shifted 1 byte to the right, the third row is cyclically shifted 2 bytes to the right, and the fourth row is cyclically shifted 3 bytes to the right.

[0071] Therefore, as during the above-described Shift Row transformation for encryption, by setting the selector values of the selectors in the intermediate value register/Shift Row transformation circuit and performing exactly the same processing as the cyclic shift for encryption as shown in Table 8, Shift Row transformation processing for decryption can be executed.
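
The register behaviour of paragraphs [0054] through [0071] can be checked with a small behavioural model. The following Python is an added illustration, not part of the patent text; the meaning of the selector positions ("a" holds, "b" takes the previous stage or the row input, "c" takes the extra feedback input) is an assumption inferred from paragraphs [0058] and [0067], and all function names and the sample state are constructed for the example.

```python
# Added illustration: behavioural model of the FIG. 5 register, not a netlist.
# Stage 0 is the input side; stage 3 is the final-stage flip-flop
# (308 / 318 / 328 / 338), from which data is read out.

# Source stage of the "c" input of each selector, per row, following the
# wiring described in paragraphs [0055]-[0057]. Row 0 has no "c" input.
C_INPUT = {
    1: {0: 3},                    # selector 311 <- flip-flop 318
    2: {0: 2, 1: 3, 2: 0, 3: 1},  # 321<-326, 323<-328, 325<-322, 327<-324
    3: {0: 1, 1: 2, 2: 3, 3: 0},  # 331<-334, 333<-336, 335<-338, 337<-332
}

# Assumed position meaning: "a" = hold, "b" = shift in, "c" = feedback input.
LOAD = {r: "bbbb" for r in range(4)}                        # paragraph [0058]
SHIFT_ROW = {0: "aaaa", 1: "cbbb", 2: "cccc", 3: "cccc"}    # paragraph [0067]


def clock(regs, settings, data_in=(0, 0, 0, 0)):
    """Advance all four 8-bit shift registers by one cycle."""
    new = []
    for r in range(4):
        old = regs[r]
        row = []
        for stage in range(4):
            pos = settings[r][stage]
            if pos == "a":
                row.append(old[stage])
            elif pos == "b":
                row.append(data_in[r] if stage == 0 else old[stage - 1])
            else:
                row.append(old[C_INPUT[r][stage]])
        new.append(row)
    return new


def run_shift_row(state, decrypt=False):
    """Load state[row][col] column by column, apply the single Shift Row
    cycle, and read the result back. Only the column order differs between
    encryption (left to right) and decryption (right to left)."""
    order = [3, 2, 1, 0] if decrypt else [0, 1, 2, 3]
    regs = [[0] * 4 for _ in range(4)]
    for col in order:                                   # 4 load cycles
        regs = clock(regs, LOAD, [state[r][col] for r in range(4)])
    regs = clock(regs, SHIFT_ROW)                       # same settings both ways
    out = [[0] * 4 for _ in range(4)]
    for col in order:                                   # 4 read-out cycles
        for r in range(4):
            out[r][col] = regs[r][3]
        regs = clock(regs, LOAD)
    return out


def reference_shift_rows(state, decrypt=False):
    """Textbook ShiftRows / InvShiftRows on state[row][col]."""
    sign = -1 if decrypt else 1
    return [[state[r][(c + sign * r) % 4] for c in range(4)] for r in range(4)]


# Constructed sample state: byte a_rc is encoded as 0x<r><c>.
STATE = [[(r << 4) | c for c in range(4)] for r in range(4)]

if __name__ == "__main__":
    for mode in (False, True):
        assert run_shift_row(STATE, mode) == reference_shift_rows(STATE, mode)
    print("register model matches ShiftRows and InvShiftRows")
```
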

[0072] In this way, the same intermediate value register/Shift Row transformation circuit can be used for Shift Row transformation processing for both encryption and decryption.

Mix Column Transformation Circuit

[0073] The Mix Column transformation circuit adopted in this embodiment is shown in FIG. 6.

[0074] This Mix Column transformation circuit includes 4 operation units, a first operation unit 351, a second operation unit 352, a third operation unit 353 and a fourth operation unit 354. The first operation unit 351 comprises a first multiplication unit 361, a second multiplication unit 362, a third multiplication unit 363, and a fourth multiplication unit 364, each of which executes operations in 8-bit units, and an XOR circuit 365 that XORs the outputs of the multiplication units 361 through 364. The second operation unit 352, third operation unit 353, and the fourth operation unit 354, which are not shown in the figure, also have a first through fourth multiplication unit and an XOR circuit.

[0075] When a column j comprising (a0j, a1j, a2j, a3j) is transformed into a column comprising (b0j, b1j, b2j, b3j), the data (b0j, b1j, b2j, b3j) of column j after transformation can be expressed as follows.

Encryption

[0076]

b0j = 02*a0j + 03*a1j + 01*a2j + 01*a3j
b1j = 01*a0j + 02*a1j + 03*a2j + 01*a3j
b2j = 01*a0j + 01*a1j + 02*a2j + 03*a3j
b3j = 03*a0j + 01*a1j + 01*a2j + 02*a3j

Decryption

[0077]

b0j = 0E*a0j + 0B*a1j + 0D*a2j + 09*a3j
b1j = 09*a0j + 0E*a1j + 0B*a2j + 0D*a3j
b2j = 0D*a0j + 09*a1j + 0E*a2j + 0B*a3j
b3j = 0B*a0j + 0D*a1j + 09*a2j + 0E*a3j

[0078] The coefficients by which each column is multiplied are described as hexadecimal.

[0079] To execute this Mix Column transformation processing, the 32-bit data columns are inputted into the first through fourth operation units 351 through 354, respectively, and multiplication by the first through fourth operation units 361 through 364 and the operation by the XOR circuit are performed.

[0080] The multiplication units 361 through 364 of the operation units 351 through 361 are provided with a coefficient for encryption and a coefficient for decryption, so that they can be used for both encryption and decryption, and they are constituted so that selection of a coefficient can be made during operations.

[0081] The first multiplication unit 361 of the operation unit 351 can multiply inputted data by either 0x02 or 0x0E. The second multiplication unit 362 can multiply inputted data by either 0x03 or 0x0B. The third multiplication unit 363 can multiply inputted data by either 0x01 or 0x0D. The fourth multiplication unit 364 can multiply inputted data by either 0x01 or 0x09.

[0082] The first multiplication unit of the second operation unit 352 can multiply inputted data by either 0x01 or 0x09. The second multiplication unit can multiply inputted data by either 0x02 or 0x0E. The third multiplication unit can multiply inputted data by either 0x03 or 0x0B. The fourth multiplication unit can multiply inputted data by either 0x01 or 0x0D.

[0083] The first multiplication unit of the third operation unit 353 can multiply inputted data by either 0x01 or 0x0D. The second multiplication unit can multiply inputted data by either 0x01 or 0x09. The third multiplication unit can multiply inputted data by either 0x02 or 0x0E. The fourth multiplication unit can multiply inputted data by either 0x03 or 0x0B.

[0084] The first multiplication unit of the fourth operation unit 354 can multiply inputted data by either 0x03 or 0x0B. The second multiplication unit can multiply inputted data by either 0x01 or 0x0D. The third multiplication unit can multiply inputted data by either 0x01 or 0x09. The fourth multiplication unit can multiply inputted data by either 0x02 or 0x0E.

[0085] By changing the coefficients used for encryption and for decryption in the first through fourth multiplication units of the first through fourth operation units 351 through 354, the same circuit constitution can be shared for both encryption and decryption.

Multiplication Units of the Mix Column Transformation Circuit

[0086] An example of the multiplication units included in the Mix Column transformation circuit is shown in FIG. 7.

[0087] The multiplication units multiply inputted 8-bit data (a7, a6, a5, a4, a3, a2, a1, a0) with a coefficient (b3, b2, b1, b0). For this, partial product operation units 375 through 378 are provided, which multiply the 8-bit data (a7, a6, a5, a4, a3, a2, a1, a0) with each bit of a coefficient (b3, b2, b1, b0). Also provided are: an addition unit 371 that shifts the result of the partial product unit 376 1 bit and adds this to the result of the partial product unit 375, which multiplies using the highest bit of a coefficient; an addition unit 372 that shifts the resultant of the partial product unit 377 1 bit moreover and adds this; and an addition unit 373 that shifts the resultant of the partial product unit 378 1 bit moreover and adds this. There is also provided a division unit 374 into which the resultant of the addition unit 373 and overflow carried over from the addition units 371 to 373 are inputted and divided by a divisor.

[0088] With this constitution, by selectively setting as the coefficient (b3, b2, b1, b0) a coefficient for encryption and a coefficient for decryption, the mixed column transformation processing can be used both for encryption and for decryption.

[0089] As described above, there are 2 coefficients, set as (b3, b2, b1, b0), established for each multiplication unit. There are 4 combinations of coefficients in the multiplication units, namely, (0x02, 0x0E), (0x03, 0x0B), (0x01, 0x0D), (0x01, 0x09). When these are expressed as 4 low order bits, they become (0010, 1110), (0011, 1011), (0001, 1101), and (0001, 1001). The operations for common bits in these coefficients do not perform control of the partial products; rather, the operations for different bits control the addition processing; this allows the circuit to be reduced in scale.

[0090] For example, when the coefficients are the combination (0x01, 0x0D), they become (0001, 1101) when expressed in binary; by controlling whether or not the result of the addition of the partial product of the 2 upper bits is added to the partial product of the lower 2 bits, the selection and multiplication of 2 coefficients becomes possible. FIG. 8 shows the circuit constitution for the coefficient combination (0x01, 0x0D).

[0091] In FIG. 8, there is provided a first addition unit 381 that shifts inputted 8-bit data (a7, a6, a5, a4, a3, a2, a1, a0) 1 bit and executes addition processing thereupon. The output of the first addition unit 381 is inputted into a second addition unit 383 via a control logic circuit 382. This second addition unit 383 adds the result of the partial product operation by the uppermost bit of the coefficient, and it is constituted to shift inputted 8-bit data 3 bits and execute addition processing thereupon.

[0092] A division unit 384 is provided into which the resultant of the operation of the addition unit 383 and the overflow carried over from the first addition unit 381 and the second addition unit 383 are inputted and divided by a divisor.

[0093] The control logic circuit 382, when a coefficient is 0x01, does not output the output of the addition unit 381, which is an upper 2-bit resultant. The control logic circuit 382 may be constituted so that, when a coefficient is 0x0D, the output of the first addition unit 381, which is an upper 2 bit result, is outputted to the addition unit 383.

[0094] Because the multiplication performed here is multiplication over GF(2^8) where the irreducible polynomial is M(x) = x^8 + x^4 + x^3 + x + 1, and the addition is over GF(2), they can be achieved with an XOR operation.
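
The shared multiplier of paragraphs [0087] through [0094] can be modelled in software to confirm that gating only the differing coefficient bits yields both the encryption and the decryption Mix Column. The following Python is an added illustration, not part of the patent text; the function names are assumptions, and the gating relies on the observation that in each of the four pairs listed in paragraph [0089] the encryption coefficient's bits are a subset of the decryption coefficient's bits.

```python
# Added illustration: software model of the shared-coefficient multiplier.

M = 0x11B  # M(x) = x^8 + x^4 + x^3 + x + 1, paragraph [0094]

# (encryption, decryption) coefficient pairs of multiplication units 361-364
# in the first operation unit 351, paragraph [0081].
COEFF_PAIRS = [(0x02, 0x0E), (0x03, 0x0B), (0x01, 0x0D), (0x01, 0x09)]


def partial_products(a, coeff):
    """XOR together a shifted by every set bit of the 4-bit coefficient.
    Addition over GF(2) is XOR, so no carries occur; result is up to 11 bits."""
    acc = 0
    for bit in range(4):
        if (coeff >> bit) & 1:
            acc ^= a << bit
    return acc


def divide(value):
    """Division unit: fold the overflow bits 10..8 back in modulo M(x)."""
    for bit in (10, 9, 8):
        if value & (1 << bit):
            value ^= M << (bit - 8)
    return value


def multiply(a, pair, decrypt):
    """One multiplication unit. Bits common to both coefficients are always
    accumulated; the bits present only in the decryption coefficient are
    added when the control input selects decryption."""
    enc, dec = pair
    common = enc & dec          # equals enc for all four pairs on the page
    extra = enc ^ dec           # bits that exist only in the decryption value
    acc = partial_products(a, common)
    if decrypt:
        acc ^= partial_products(a, extra)
    return divide(acc)


def mix_column(column, decrypt=False):
    """Four operation units 351-354. Unit k uses the coefficient pairs of
    unit 351 rotated right by k positions, as listed in [0081]-[0084]."""
    out = []
    for k in range(4):
        pairs = COEFF_PAIRS[-k:] + COEFF_PAIRS[:-k]
        acc = 0
        for a, pair in zip(column, pairs):
            acc ^= multiply(a, pair, decrypt)   # XOR circuit 365
        out.append(acc)
    return out


if __name__ == "__main__":
    col = [0xDB, 0x13, 0x53, 0x45]              # widely published test column
    mixed = mix_column(col)
    print([hex(b) for b in mixed])
    print([hex(b) for b in mix_column(mixed, decrypt=True)])
```
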
[0095] In this manner, by controlling the addition of partial products in different bits of 2 coefficients, the circuit scale can be made smaller, enabling reduction of the scale of circuit.

Key Schedule Unit

[0096] FIG. 9 shows the circuit constitution of the key schedule unit.

[0097] The key schedule unit comprises, primarily, an expanded key generation logic unit 101, an expanded key register 120 and a key input register 131.

[0098] The key input register 131 is a 256-bit register comprising 8 32-bit registers k0 through k7, and a cipher key is stored in 32-bit units starting from register k0 and proceeding in order therefrom. When the cipher key is 256 bits, data is stored in all the registers k0 through k7; when the cipher key is 192 bits, data is stored in registers k0 through k5, and when the cipher key is 128 bits, data is stored in registers k0 through k3.

[0099] A selector 132 that selectively outputs one value from the registers k0 through k7 is connected to the key input register 131. This selector 132 selects 32 bits of data from the 256-bit data of the key input register 131 and inputs this at the lowest position of the expanded key register 120.

[0100] The expanded key register 120 is a shift register to which are connected in series 8 flip-flops 121 through 128, which are capable of processing in 32-bit units. Inputted into the flip-flop 128, which is at the lowest position, is the output of the selector 113, which selects the output of the selector 132 and the output of the expanded key generation logic unit 101. The output W7KEY of the flip-flop 128 is inputted into the flip-flop 127. The output W6KEY of the flip-flop 127 is inputted into the selector 112, which is at the stage previous to the flip-flop 126. Inputted into the selector 112 is the output W6KEY of the flip-flop 127 and the output of the expanded key generation logic unit 101, and one of these is inputted into the flip-flop 126.

[0101] The output W5KEY of the flip-flop 126 is inputted into the flip-flop 125. The output W4KEY of the flip-flop 125 is inputted into the selector 111, which is at the stage previous to the flip-flop 124. Inputted into the selector 111 is the output W4KEY of the flip-flop 125 and the output of the expanded key generation logic unit 101, and one of these is inputted into the flip-flop 124.

[0102] The output W3KEY of the flip-flop 124 is inputted into the flip-flop 123. The output W2KEY of the flip-flop 123 is inputted into the flip-flop 122. The output W1KEY of the flip-flop 122 is inputted into the flip-flop 121.

[0103] The expanded key generation logic unit 101 includes a ROM 102 in which an expanded key generation constant Rcon is stored, an AND circuit 103 that ANDs a value read out from the ROM 102 and a signal RCON_EN, and an XOR circuit 104 which XORs the W0KEY of the flip-flop 121 positioned at the top of the expanded key register 120 and the output of the AND circuit 103, which have been inputted therein.

[0104] The expanded key generation logic unit 101 also includes a selector 105, into which the flip-flop 122 output W1KEY, the flip-flop 124 output W3KEY, the flip-flop 126 output W5KEY, and the flip-flop 128 output W7KEY are inputted, and which selectively outputs one of these. The output of the selector 105 is inputted into the Rot Byte circuit 106, which rotates data, the selector 107, and selector 109. The output of the Rot Byte circuit 106 and the output of the selector 105 are inputted into the selector 107, which supplies one of these to the Sub Byte circuit 108. The Sub Byte circuit 108 executes Byte Sub transformation processing in 32-bit portions, and supplies the output thereof to the selector 109. Into the selector 109 are inputted the output of the Sub Byte circuit 108 and the output of the selector 105, one of which it outputs. The expanded key generation logic unit 101 also includes an XOR circuit 110. The output of the XOR circuit 104 and the output of the selector 109 are inputted into the XOR circuit 110, which then XORs these outputs.

[0105] A key schedule unit thus constituted includes such functions as: 1) generation of the expanded key used in the Round Key Addition processing of the round function unit; 2) rewrite of the key input register during encryption, and setup of the expanded key initial value following completion of encryption and decryption; and 3) setup of expanded key initial value following rewrite of the key input register during decryption.

[0106] The round keys used in Round Key Addition processing of the round function unit must total 15, from the initial round key and round key 01 through round key 14, when the key length is 256 bits. Each round key is made up of 128 bits, in correspondence with the processing block length; in order to assign the round keys to the 32-bit expanded key segments generated by the key schedule unit, a total of 60 expanded key segments W00 through W59 are required. These expanded key segments W00 through W59 are used in the order W00->W59 for encryption, and in the order W59->W00 for decryption. In this embodiment, as shown in Table 10, expanded key segments are generated in the order W00->W59 for encryption, and in the order W59->W00 during decryption.






[Table 10] Expansion Key Schedule (This Example for 256-Bit Key Length)

No.  Encryption                                  Decryption                                  Round key
00   W00=(k0)                                    W59                                         Initial Round Key
01   W01=(k1)                                    W58
02   W02=(k2)                                    W57
03   W03=(k3)                                    W56
04   W04=(k4)                                    W55                                         Round Key01
05   W05=(k5)                                    W54
06   W06=(k6)                                    W53
07   W07=(k7)                                    W52
08   W08=W00^Sub Byte(Rot Byte(W07))^Rcon[1]     W51=W59^W58                                 Round Key02
09   W09=W01^W08                                 W50=W58^W57
10   W10=W02^W09                                 W49=W57^W56
11   W11=W03^W10                                 W48=W56^Sub Byte(Rot Byte(W55))^Rcon[7]
12   W12=W04^Sub Byte(W11)                       W47=W55^W54                                 Round Key03
13   W13=W05^W12                                 W46=W54^W53
14   W14=W06^W13                                 W45=W53^W52
15   W15=W07^W14                                 W44=W52^Sub Byte(W51)
16   W16=W08^Sub Byte(Rot Byte(W15))^Rcon[2]     W43=W51^W50                                 Round Key04
17   W17=W09^W16                                 W42=W50^W49
18   W18=W10^W17                                 W41=W49^W48
19   W19=W11^W18                                 W40=W48^Sub Byte(Rot Byte(W47))^Rcon[6]
20   W20=W12^Sub Byte(W19)                       W39=W47^W46                                 Round Key05
21   W21=W13^W20                                 W38=W46^W45
22   W22=W14^W21                                 W37=W45^W44
23   W23=W15^W22                                 W36=W44^Sub Byte(W43)
     Omitted
52   W52=W44^Sub Byte(W51)                       W07=W15^W14                                 Round Key13
53   W53=W45^W52                                 W06=W14^W13
54   W54=W46^W53                                 W05=W13^W12
55   W55=W47^W54                                 W04=W12^Sub Byte(W11)
56   W56=W48^Sub Byte(Rot Byte(W55))^Rcon[7]     W03=W11^W10                                 Round Key14
57   W57=W49^W56                                 W02=W10^W09
58   W58=W50^W57                                 W01=W09^W08
59   W59=W51^W58                                 W00=W08^Sub Byte(Rot Byte(W07))^Rcon[1]



[0107] The expanded key segment W08 for encryption, in accordance with the formula W08=W00^Sub Byte(Rot Byte(W07))^Rcon[1], is obtained by XORing W00, Sub Byte(Rot Byte(W07)) and the constant Rcon[1]. Because A A A=* A, the expanded key segment W00 can be expressed as W00=W08^Sub Byte(Rot Byte(W07))^Rcon[1], meaning that W00 can be generated from W08 and W07. Thus, for decryption, first W00=>W59 are generated, and then in the order that is the inverse of encryption, i.e., W59=>W00, expanded key segments are generated. In this manner, there is no need to store all the expanded keys for decryption in memory, making possible decryption processing wherein only the expanded key segments needed for each round are generated.
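
The reverse generation described in paragraph [0107] and Table 10 can be reproduced in software with a window of only Nk words. The following Python is an added illustration, not part of the patent text; it generalizes the 256-bit case of Table 10 to the 128-bit and 192-bit key lengths as well, the function names are assumptions, the S-box is computed rather than tabulated, and the sample key is the public 256-bit example key from FIPS-197 Appendix A.3.

```python
# Added illustration: forward key expansion and on-the-fly reverse expansion.

def build_sbox():
    """Compute the Byte Sub table: walk p through all non-zero field elements
    (multiplying by 3) while q tracks the inverse of p (dividing by 3)."""
    rotl8 = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = build_sbox()

def sub_word(w):
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def rot_word(w):
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF

def rcon(i):
    """Rcon[i] as a 32-bit word: x^(i-1) in GF(2^8) in the top byte."""
    v = 1
    for _ in range(i - 1):
        v = ((v << 1) ^ (0x11B if v & 0x80 else 0)) & 0xFF
    return v << 24

def mix_term(prev, i, nk):
    """Value XORed with W[i-nk] to give W[i]; because XOR is its own inverse,
    the same value XORed with W[i] gives W[i-nk] back."""
    if i % nk == 0:
        return sub_word(rot_word(prev)) ^ rcon(i // nk)
    if nk > 6 and i % nk == 4:
        return sub_word(prev)
    return prev

def expand_forward(key_words):
    """Encryption order W00 -> W(last), as in the Encryption column."""
    nk = len(key_words)
    w = list(key_words)
    for i in range(nk, 4 * (nk + 7)):
        w.append(w[i - nk] ^ mix_term(w[i - 1], i, nk))
    return w

def expand_backward(last_window):
    """Decryption order W(last) -> W00, holding only nk words at any time.
    last_window is the final nk words left over from a forward expansion."""
    nk = len(last_window)
    window = list(last_window)          # oldest word first, newest last
    out = []
    for i in range(4 * (nk + 7) - 1, -1, -1):
        out.append(window[-1])          # W[i] is consumed by the round function
        if i >= nk:
            older = window[-1] ^ mix_term(window[-2], i, nk)   # W[i-nk]
            window = [older] + window[:-1]
        else:
            window.pop()
    return out

# Public example key from FIPS-197 Appendix A.3 (256-bit), as k0..k7.
KEY256 = [0x603DEB10, 0x15CA71BE, 0x2B73AEF0, 0x857D7781,
          0x1F352C07, 0x3B6108D7, 0x2D9810A3, 0x0914DFF4]

if __name__ == "__main__":
    w = expand_forward(KEY256)
    print("W08 = %08x, W59 = %08x" % (w[8], w[59]))
    print("reverse matches:", expand_backward(w[-8:]) == w[::-1])
```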

[0108] An explanation will first be given of the generation of expanded key segments for the Round Key Addition 
function of the round function unit. 

[0109] As shown in Table 10, in the Round Key Addition function in each round, 4 expanded key segments having
32 bits are used; because expanded key operations are performed in the background of the Mix Column transformation
+ Round Key Addition function of the round function, 4 expanded key segments may be created in 4 cycles. For this
reason, in a circuit constitution as shown in FIG. 9, 1 expanded key segment is generated in 1 cycle. The expanded
key segment register 120 comprises a shift register, and the expanded key segments currently being used in a round
function use the output W0KEY of the flip-flop 121.
[0110] The selector 105 (SEL_B) of the expanded key generation logic unit 101, as shown in Table 11, is controlled
so as to switch depending upon 2 different types of conditions, namely, key length and encryption/decryption. The
selectors 111, 112, and 113 (SEL_E through SEL_G), into which the output of the expanded key generation logic unit
101 is inputted, are set based on key length, as shown in Table 12. However, when a cipher key is inputted as an initial
value, "b" is selected as the selector position for the selectors 111 through 113. The selectors 107 and 109 (SEL_C,
SEL_D), as shown in Table 13, are controlled so as to switch depending upon the expanded key generation logic. The
ROM 102 stores the constant Rcon[i], which is inputted to the XOR circuit 104, and the constant Rcon[i] corresponding
to the address i is stored as shown in Table 14.
[Table 11]

SEL_B Control

Key length    Encryption    Decryption
128bit        W3KEY         W1KEY
192bit        W5KEY         W1KEY
256bit        W7KEY         W1KEY


[Table 12]

SEL_E through SEL_G Control

Key length    SEL_E    SEL_F    SEL_G
128bit        a        b        b
192bit        b        a        b
256bit        b        b        a


[Table 13]

SEL_C, SEL_D Control

Logic                                                                       SEL_C    SEL_D
Expanded key    W[i] = W[i-Nk] ^ W[i-1]                                     *        b
                W[i] = W[i-Nk] ^ Sub Byte(W[i-1])                           b        a
                W[i] = W[i-Nk] ^ Sub Byte(Rot Byte(W[i-1])) ^ Rcon[i/Nk]    a        a
Byte Sub                                                                    c        b

*: don't care



[Table 14]

Rcon ROM Table

Rcon_Addr    Hex     Bin
01           0x01    0000_0001
02           0x02    0000_0010
03           0x04    0000_0100
04           0x08    0000_1000
05           0x10    0001_0000
06           0x20    0010_0000